Recently we have disclosed new advisories related to the remote exploitation of Huawei smartphones.
The research that led to these findings was motivated by analyzing new interfaces for remote code execution on a mobile platform. After our work on exploiting Huawei's Kirin via its baseband interface, we wanted to explore the possibilities of logic bugs as RCE vectors in a modern smartphone chipset, as opposed to the memory corruption scenarios that are more common in public research. Logic bugs can be the most powerful because they have the potential to bypass almost all of the exploit mitigations that are the typical focus these days, like ASLR, NX, sandboxing of parser code, etc.
Our research resulted in a 0-click remote code execution exploit. As a demonstration of the usefulness of an exploit that relies only on logic bugs, it worked without modification even on Huawei devices with Qualcomm Snapdragon chipsets! In addition, we chained together a few more logic bugs for further escalation, including getting code execution at TEE level.
The vulnerabilities we disclosed have all been reported to and patched by Huawei (see the advisories for the disclosure timelines).
The interested reader may find all the vulnerability details in our advisories:
CVE-2021-40045: Huawei Recovery Update Zip Signature Verification Bypass
CVE-2021-40055: Huawei OTA Insecure SSL Configuration Man-In-The-Middle Vulnerability
CVE-2021-37107: Huawei Peripheral DMA Memory Access Permission Bypass
CVE-2021-37109: Huawei Baseband MPU Security Protection Bypass via EDMA
CVE-2021-37115: Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via ASP DMA
CVE-2021-39992: Huawei Kernel Memory Access Permission Bypass via EDMA
In addition, you can find a slide deck of the UnZiploc research presentation on our GitHub. Last month we also had the opportunity to present this research at the QSS.
A video recording of the talk that we delivered is available here.